remove outdated files

apache-tomcat-10.1.43-src.tar.gz.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAmhkU9cACgkQHPApP6U8
-pFhElw/+PtORhhIobN6tQaSZYWQ8wfgNnd+gYpT31sp7ufUmKpHDYU0/FeU/kCmZ
-FEIPbxPfEA4vHjbJh6E+sN59+s8HO5A255M3qum/NIJW8XsN5EdZcn+8fZVogMp7
-jWtnB7A9TPZ32mOljY7GXfXe4Da7PUoH8DZgD+eJ/iXrYoK6dgha5Z0cUQWuHq7j
-h/nCajbnNhsicIipAXUlUEwkWi6br3CPSFTdULmG9WvxgUEvKetSftOScqtOCE5C
-Tb5SZFyHuui2BAT9d6D6Varjae8GcpvkBupa6YhL981jERrGybo38IfSP2HWAlwP
-vQIuCGkhSoe/Nn65f2UxMiftyWPY8AgyedRFzE2EXxyxWZCOXksbovvqlhKxoStk
-MofhhAMhNApdk7d+wipuLcjRXdQBXo5PSo0782uDE+Fyl7sTl7dRnVmQNCTyrVUg
-/bFqMUzuQS7znqXNj+0yD9x1aC+LeiNMsvYTfPihqv7SeJUqz10CyqkkO8aYetGJ
-RhHlcrzl0+hsCzyYV8W2BG28GHfTRxSfYA43tlTqg5c7BFzOs3NlJFLwMcxToszw
-7Lb2xXevGnBRSM27UbXeLFXr9/xDiMu9C0fxAIpCNKhFVIidNoJ/vvIkMtj38xzT
-DWz0EQB/8TSwfEmqs+c5uppziZa7eN6iJfWBp18IqPLC1wPgKGY=
-=VK2I
------END PGP SIGNATURE-----

apache-tomcat-10.1.48-src.tar.gz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAmjqaQcACgkQHPApP6U8
+pFg4nA/9GL9PMb0aac03wBzfo6pXcg1NtcGNO7engbG00WhfLvFfmyBCtg3YWwYq
+os87O5OuzpF8TJQtxLWqqWDoJXA7FFqbhrIgJHJMYKrwgXJEMGgraekYov+oY84U
+GPf0stsyF8HdLaXaCfofQ6L3lPzybMku6ZDhwGPabXtanNVhOci77gCzt4rep8yT
+5SbNkqF+g3rPKbO4N1F5CC74eIYqS4gZhr8OOWLcGoEssQR2SeScudMeFjqX0Bml
+a5kK6fa7ffEaoyYol1G3UygL6PcL5PeeNw8QC96HjKeSLfEuFiUKNucRICy8DjOu
+qiOlZcUmKDev8vTxTqZOnzWgmTi428VRV2DoaP8LxOvpzycQdk3oBH/ZnzawFChw
+Hw1XcwjX3aV9pzwg9BSt1sYa9mv1ByaliN2UspqWwB2dfr9XHu4J8JMIa+7hZpZl
+5kenrlcrK9woa+Ke/z/XIk9274Fvfark6Bs6VpANXvTprfUYf/9iLuDNRMsmSzGy
+qHaEbb3ob5IWf1TwpRgMEeQplBZzjjD1/62eTJVfkkgTS6vWtF9Ay0Ex9cVtBgAK
+N0qO9biWQ9JIgxNFwUutLzpwthfJE4BaKpQa/sRaJLEvL3zon/aHm5WcCYWX8q44
+mKwBAXda2sXxiHypt7aH3NwEe+S03vwQ4Sp8++5aQPf+2FgqkOM=
+=BqQ+
+-----END PGP SIGNATURE-----

tomcat10.changes

@@ -1,3 +1,153 @@
+-------------------------------------------------------------------
+Thu Nov  6 15:44:46 UTC 2025 - Ricardo Mestre <ricardo.mestre@suse.com>
+
+- Update to Tomcat 10.1.48
+  * Fixed CVEs:
+    + CVE-2025-55752: directory traversal via rewrite with possible RCE if PUT
+      is enabled (bsc#1252753)
+    + CVE-2025-55754: Improper Neutralization of Escape, Meta, or Control 
+      Sequences vulnerability in Apache Tomcat (bsc#1252905)
+    + CVE-2025-61795: temporary copies during the processing of multipart 
+      upload can lead to a denial of service (bsc#1252756)
+  * Catalina
+    + Fix: Log warnings when the SSO configuration does not comply with the
+      documentation. (remm)
+    + Update: Deprecate the RemoteAddrFilter and RemoteAddValve in favour of the
+      RemoteCIDRFilter and RemoteCIDRValve. (markt)
+    + Fix: 69837: Fix corruption of the class path generated by the Loader when
+      running on Windows. (markt)
+    + Fix: Reject requests that map to invalid Windows file names earlier.
+      (markt)
+    + Fix: 69839: Ensure that changes to session IDs (typically after
+      authentication) are promulgated to the SSO Valve to ensure that SSO
+      entries are fully clean-up on session expiration. Patch provided by Kim
+      Johan Andersson. (markt)
+    + Fix: Fix a race condition in the creation of the storage location for the
+      FileStore. (markt)
+    + Fix: HTTP methods are case-sensitive so always use case sensitive
+      comparisons when comparing HTTP methods. (markt)
+    + Fix: 69814: Ensure that HttpSession.isNew() returns false once the client
+      has joined the session. (markt)
+    + Fix: Further performance improvements for ParameterMap. (jengebr/markt)
+    + Code: Refactor access log time stamps to be based on the Instant request
+      processing starts. (markt)
+    + Fix: Fix a case-sensitivity issue in the trailer header allow list.
+      (markt)
+    + Fix: Be proactive in cleaning up temporary files after a failed multi-part
+      upload rather than waiting for GC to do it. (markt)
+    + Update: Change the digest used to calculate strong ETags (if enabled) for
+      the default Servlet from SHA-1 to SHA-256 to align with the recommendation
+      in RFC 9110 that hash functions used to generate strong ETags should be
+      collision resistant. (markt)
+    + Fix: Correct a regression in the fix for 69781 that broke FileStore.
+      (markt)
+    + Code: Remove a number of unnecessary packages from the
+      catalina-deployer.jar. (markt)
+    + Fix: 69781: Fix concurrent access issues in the session FileStore
+      implementation that were causing lost sessions when the store was used
+      with the PersistentValve. Based on pull request #882 by Aaron Ogburn.
+      (markt)
+    + Fix: Fix handling of QSA and QSD flags in RewriteValve. (markt)
+  * Cluster
+    + Fix: Prevent the channel configuration (sender, receiver, membership
+      service) from being changed unless the channel is fully stopped. (markt)
+    + Fix: Handle spurious wake-ups during leader election for
+      NonBlockingCoordinator. (markt)
+    + Fix: Handle spurious wake-ups during sending of messages by RpcChannel.
+      (markt)
+  * Coyote
+    + Fix: 69848: Fix copy/paste errors in 10.1.47 that meant DELETE requests
+      received via the AJP connector were processed as OPTIONS requests and
+      PROPFIND requests were processed as TRACE. (markt)
+    + Update: Add specific certificate selection code for TLS 1.3 supporting
+      post quantum cryptography. Certificates defined with type MLDSA will be
+      selected depending on the TLS client hello. (remm)
+    + Update: Add groups attribute on SSLHostConfig allowing to restrict which
+      groups can be enabled on the SSL engine. (remm)
+    + Add: Optimize the conversion of HTTP method from byte form to String form.
+      (markt)
+    + Fix: Store HTTP request headers using the original case for the header
+      name rather than forcing it to lower case. (markt)
+    + Update: Add hybrid PQC support to OpenSSL, based on code from mod_ssl.
+      Using this OpenSSL specific code path, additional PQC certificates defined
+      with type MLDSA are added to contexts which use classic certificates.
+      (jfclere/remm)
+    + Fix: Ensure keys are handed out to OpenSSL even if PEMFile fails to
+      process it, with appropriate logging. (remm)
+    + Fix: Add new ML-DSA key algorithm to PEMFile and improve reporting when
+      reading a key fails. (remm)
+    + Fix: Fix possible early timeouts for network operations caused by a
+      spurious wake-up of a waiting thread. Found by Coverity Scan. (markt)
+  * Web applications
+    + Fix: Documentation. Clarify the purpose of the maxPostSize attribute of
+      the Connector element. (markt)
+    + Fix: Avoid NPE in manager webapp displaying certificate information.
+      (remm)
+  * Websocket
+    + Fix: 69845: When using permessage-deflate with Java 25 onwards, handle the
+      underlying Inflater and/or Deflater throwing IllegalStateException when
+      closed rather than NullPointerException as they do in Java 24 and earlier.
+      (markt)
+  * Other
+    + Update: Update Byte Buddy to 1.17.7. (markt)
+    + Update: Update Checkstyle to 11.1.0. (markt)
+    + Update: Update SpotBugs to 4.9.6. (markt)
+    + Update: Update Jsign to 7.2. (markt)
+    + Add: Improvements to Russian translations provided by usmazat. (markt)
+    + Add: Improvements to French translations. (remm)
+    + Add: Improvements to Japanese translations provided by tak7iji. (markt)
+    + Update: Minor refactoring in JULI loggers. Patch provided by minjund.
+      (schultz)
+    + Code: Review logging and include the full stack trace and exception
+      message by default rather then just the exception message when logging an
+      error or warning in response to an exception. (markt)
+    + Add: Add escaping to log formatters to align with JSON formatter. (markt)
+    + Update: Update Checkstyle to 11.0.0. (markt)
+
+-------------------------------------------------------------------
+Wed Oct  1 12:23:38 UTC 2025 - Fridrich Strba <fstrba@suse.com>
+
+- Do not use update-alternatives
+
+-------------------------------------------------------------------
+Mon Aug 25 13:28:00 UTC 2025 - Michele Bussolotto <michele.bussolotto@suse.com>
+
+- Update to Tomcat 10.1.44
+  * Fixed CVEs:
+    + CVE-2025-48989: Update the HTTP/2 overhead documentation (bsc#1243895)
+  * Catalina
+    + Fix: Fix bloom filter population for archive indexing when using a packed
+      WAR containing one or more JAR files. (markt)
+  * Coyote
+    + Fix: 69748: Add missing call to set keep-alive timeout when using
+      HTTP/1.1 following an async request, which was present for AJP.
+      (remm/markt)
+    + Fix: 69762: Fix possible overflow during HPACK decoding of integers. Note
+      that the maximum permitted value of an HPACK decoded integer is
+      Integer.MAX_VALUE. (markt)
+    + Fix: Update the HTTP/2 overhead documentation - particularly the code
+      comments - to reflect the deprecation of the PRIORITY frame and clarify
+      that a stream reset always triggers an overhead increase. (markt)
+    + Fix: 69762: Additional overflow fix for HPACK decoding of integers. Pull
+      request #880 by Chenjp. (markt)
+  * Cluster
+    + Update: Add enableStatistics configuration attribute for the
+      DeltaManager, defaulting to true. (remm)
+  * WebSocket
+    + Fix: Align the WebSocket extension handling for WebSocket client
+      connections with WebSocket server connections. The WebSocket client now
+      only includes an extension requested by an endpoint in the opening
+      handshake if the WebSocket client supports that extension. (markt)
+  * Web applications
+    + Fix: Manager and Host Manager. Provide the Manager and Host Manager web
+      applications with a dedicated favicon file rather than using the one from
+      the ROOT web application which might not be present or may represent
+      something entirely different. Pull requests #876 and #878 by Simon Arame.
+  * Other
+    + Update: Update Checkstyle to 10.26.1. (markt)
+    + Add: Improvements to French translations. (remm)
+    + Add: Improvements to Japanese translations by tak7iji. (markt) 
+
 -------------------------------------------------------------------
 Wed Aug  6 12:45:13 UTC 2025 - Michele Bussolotto <michele.bussolotto@suse.com>
 

tomcat10.spec

@@ -29,7 +29,7 @@
 %define elspec %{elspec_major}.%{elspec_minor}
 %define major_version 10
 %define minor_version 1
-%define micro_version 43
+%define micro_version 48
 %define java_major 1
 %define java_minor 11
 %define java_version %{java_major}.%{java_minor}
@@ -191,15 +191,11 @@ The documentation of web application for Apache Tomcat.
 %package el-%{elspec_major}_%{elspec_minor}-api
 Summary:        Expression Language v%{elspec} API
 Group:          Development/Libraries/Java
-Requires(post): update-alternatives
-Requires(preun): update-alternatives
 Conflicts:      %{app_name}-implementation-el-api
 Provides:       %{app_name}-el-%{elspec}-api = %{version}-%{release}
 Provides:       %{app_name}-implementation-el-api = %{version}
 Provides:       el_%{elspec_major}_%{elspec_minor}_api = %{version}-%{release}
-Provides:       el_api = %{elspec}
 Obsoletes:      %{app_name}-el-2_2-api < %{version}
-Obsoletes:      el_api < %{elspec}
 
 %description el-%{elspec_major}_%{elspec_minor}-api
 Expression Language API version %{elspec}.
@@ -217,15 +213,11 @@ Javadoc generated documentation files for Apache Tomcat.
 %package jsp-%{jspspec_major}_%{jspspec_minor}-api
 Summary:        Apache Tomcat JSP API implementation classes
 Group:          Productivity/Networking/Web/Servers
-Requires(post): update-alternatives
-Requires(postun): update-alternatives
 Conflicts:      %{app_name}-implementation-jsp-api
 Provides:       %{app_name}-implementation-jsp-api = %{version}
 Provides:       %{app_name}-jsp-%{jspspec}-api
-Provides:       jsp = %{jspspec}
 Provides:       jsp%{jspspec_major}%{jspspec_minor}
 Obsoletes:      %{app_name}-jsp-2_2-api < %{version}
-Obsoletes:      jsp < %{jspspec}
 
 %description jsp-%{jspspec_major}_%{jspspec_minor}-api
 Apache Tomcat JSP API implementation classes version %{jspspec}
@@ -264,17 +256,13 @@ Libraries required to successfully run the Tomcat Web container
 %package servlet-%{servletspec_major}_%{servletspec_minor}-api
 Summary:        Apache Tomcat Servlet API implementation classes
 Group:          Productivity/Networking/Web/Servers
-Requires(post): update-alternatives
-Requires(postun): update-alternatives
 Conflicts:      %{app_name}-implementation-servlet-api
 Provides:       %{app_name}-implementation-servlet-api = %{version}
 Provides:       %{app_name}-servlet-%{servletspec}-api = %{version}-%{release}
-Provides:       servlet = %{servletspec}
 Provides:       servlet11
 Provides:       servlet60
 Obsoletes:      %{app_name}-servlet-3_0-api < %{version}
 Obsoletes:      %{app_name}-servlet-3_1-api < %{version}
-Obsoletes:      servlet < %{servletspec}
 
 %description servlet-%{servletspec_major}_%{servletspec_minor}-api
 Apache Tomcat Servlet API implementation classes version %{servletspec}
@@ -598,14 +586,6 @@ echo "tomcat/catalina-ant" > %{buildroot}/%{_sysconfdir}/ant.d/catalina-ant
 #bnc#565901
 ln -sf %{_sbindir}/%{app_name} %{buildroot}/%{bindir}/catalina.sh
 
-# Install update-alternatives content
-mkdir -p %{buildroot}%{_sysconfdir}/alternatives
-ln -s -f %{_sysconfdir}/alternatives/el_api %{buildroot}%{_javadir}/%{app_name}-el_api.jar
-ln -s -f %{_sysconfdir}/alternatives/jsp %{buildroot}%{_javadir}/%{app_name}-jsp.jar
-# To avoid conflicts with servletapi4 and servletapi5 create a link to incorrect /etc/alternatives/servlet.jar.
-# It will be changed anyways to the correct symlink by update-alternatives.
-ln -s -f %{_sysconfdir}/alternatives/servlet.jar %{buildroot}%{_javadir}/servlet.jar
-
 %pre
 # add the tomcat user and group
 getent group tomcat >/dev/null || %{_sbindir}/groupadd -r tomcat
@@ -637,49 +617,6 @@ runuser -u tomcat -g tomcat -- xsltproc --output %{confdir}/server.xml %{confdir
 %postun jsvc
 %service_del_postun %{app_name}-jsvc.service
 
-%post el-%{elspec_major}_%{elspec_minor}-api
-update-alternatives --install %{_javadir}/%{app_name}-el_api.jar el_api %{_javadir}/%{app_name}-el-%{elspec}-api.jar 20300
-
-%postun el-%{elspec_major}_%{elspec_minor}-api
-if [ $1 -eq 0 ] ; then
-    update-alternatives --remove el_api %{_javadir}/%{app_name}-el-%{elspec}-api.jar
-fi
-
-%post jsp-%{jspspec_major}_%{jspspec_minor}-api
-update-alternatives --install %{_javadir}/%{app_name}-jsp.jar jsp \
-    %{_javadir}/%{app_name}-jsp-%{jspspec}-api.jar 20200
-
-%postun jsp-%{jspspec_major}_%{jspspec_minor}-api
-if [ $1 -eq 0 ] ; then
-    update-alternatives --remove jsp \
-        %{_javadir}/%{app_name}-jsp-%{jspspec}-api.jar
-fi
-
-%post servlet-%{servletspec_major}_%{servletspec_minor}-api
-update-alternatives --install %{_javadir}/servlet.jar servlet \
-    %{_javadir}/%{app_name}-servlet-%{servletspec}-api.jar 30000
-# Fix for bsc#1092163.
-# Keep the /usr/share/java/tomcat-servlet.jar symlink for compatibility.
-# In case of update from an older version where /usr/share/java/tomcat-servlet.jar is an alternatives symlink
-# the update-alternatives in the new version will cause a rename tomcat-servlet.jar -> servlet.jar.
-# This makes sure the %{app_name}-servlet.jar is recreated if it's missing because of the rename.
-if [ ! -f %{_javadir}/%{app_name}-servlet.jar ]; then
-    echo "Recreating symlink %{_javadir}/%{app_name}-servlet.jar"
-    ln -s %{_javadir}/%{app_name}-servlet-%{servletspec}-api.jar %{_javadir}/%{app_name}-servlet.jar
-fi
-
-%postun servlet-%{servletspec_major}_%{servletspec_minor}-api
-if [ $1 -eq 0 ] ; then
-    if [ ! -f %{_sysconfdir}/alternatives/servlet ]; then
-        # servlet was removed on uninstall.
-        # Create a broken symlink to make sure update-alternatives works correctly and falls back
-        # to servletapi5 or servletapi4 if they're installed.
-        ln -s %{_javadir}/%{app_name}-servlet-%{servletspec}-api.jar %{_sysconfdir}/alternatives/servlet
-    fi
-    update-alternatives --remove servlet \
-        %{_javadir}/%{app_name}-servlet-%{servletspec}-api.jar
-fi
-
 %post lib
 # those links are no longer needed
 rm -f \
@@ -803,11 +740,6 @@ fi
 %{_javadir}/%{app_name}-el-%{elspec}-api.jar
 %{_javadir}/%{app_name}-el-api.jar
 %{libdir}/%{app_name}-el-%{elspec}-api.jar
-%ghost %{_javadir}/%{app_name}-el_1_0_api.jar
-%ghost %{_javadir}/%{app_name}-el_api.jar
-%ghost %{_sysconfdir}/alternatives/%{app_name}-el_api.jar
-%ghost %{_sysconfdir}/alternatives/el_1_0_api
-%ghost %{_sysconfdir}/alternatives/el_api
 
 %files doc
 %doc %{_javadocdir}/%{app_name}
@@ -815,9 +747,6 @@ fi
 %files jsp-%{jspspec_major}_%{jspspec_minor}-api -f output/dist/src/res/maven/.mfiles-jsp-api
 %{_javadir}/%{app_name}-jsp-%{jspspec}-api.jar
 %{_javadir}/%{app_name}-jsp-api.jar
-%ghost %{_javadir}/%{app_name}-jsp.jar
-%ghost %{_sysconfdir}/alternatives/%{app_name}-jsp.jar
-%ghost %{_sysconfdir}/alternatives/jsp
 
 %files lib -f output/dist/src/res/maven/.mfiles
 %{libdir}
@@ -837,10 +766,6 @@ fi
 %{_javadir}/%{app_name}-servlet-%{servletspec}-api.jar
 %{_javadir}/%{app_name}-servlet-api.jar
 %{_javadir}/%{app_name}-servlet.jar
-%{_javadir}/servlet.jar
-%ghost %{_sysconfdir}/alternatives/tomcat-servlet.jar
-%ghost %attr(-,root,root) %{_sysconfdir}/alternatives/servlet.jar
-%ghost %attr(-,root,root) %{_sysconfdir}/alternatives/servlet
 
 %files webapps
 %defattr(0644,root,tomcat,0755)